India has proposed a sweeping new data privacy law that dictates how companies handle its citizens’ data, including allowing information to be transferred across borders to certain countries, three months after it abruptly withdrew the previous proposal following scrutiny and concerns from privacy advocates and tech giants.
The country’s Ministry of Information Technology published the draft of the proposed rules (PDF), called the Digital Personal Data Protection Bill 2022, on Friday for public consultation. It will hear from the public until December 17.
“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters associated with or relating thereto,” the draft says.
The draft would allow cross-border interactions of data with “certain notified countries and regions,” in a move seen as a win for tech companies.
“The Central Government may, after assessing such factors as it may deem necessary, notify those countries or territories outside India to which the data custodian may transfer personal data, on such terms and conditions as may be specified,” the draft says, without naming the countries.
The Asia Internet Coalition, a lobbying group representing Meta, Google, Amazon and several other technology companies, has asked New Delhi to allow cross-border data transfers. “Cross-border transfer decisions should be free from executive or political interference, and should be regulated with minimal regulation,” they wrote in a letter to the Ministry of Information Technology earlier this year.
“Limiting cross-border data flows is likely to lead to higher business failure rates, introduce barriers to start-ups, and lead to more expensive product offerings from existing market players. Ultimately, the above mandates will affect digital inclusion and empowerment of Indian consumers on truly global Internet access and quality of services,” the group said.
The draft also suggests that companies use the data they collect about users only for the purpose for which it was originally obtained. It also seeks accountability from companies for ensuring that they process users’ personal data for the specific purpose for which they collected it.
It also requires companies not to store data permanently by default. “Storage should be limited to the period necessary for the stated purpose for which the personal data was collected,” said a note from the ministry.
The draft proposes a penalty of up to $30.6 million if a company fails to provide “reasonable security safeguards to prevent a personal data breach.” Another $24.5 million fine applies if the company fails to notify the local authority and users of the personal data breach.
The previously proposed rules were promoted as helping protect citizens’ personal data by categorizing it into different segments based on its nature, such as sensitive or critical. However, the new version does not segregate the data in that way, according to the draft.
Similar to the General Data Protection Regulation in Europe and the CCPA (California Consumer Privacy Act) in the United States, India’s proposed Digital Personal Data Protection Act of 2022 will apply to companies operating in the country and to any entities that process Indian nationals’ data.
The proposed rules, which are expected to be debated in Parliament after the public consultation, will not bring any changes to the selection of controversial laws in the country that were drafted more than a decade ago. However, New Delhi is updating its two-decade-old IT law, which will debut as the Digital India Act. India’s Minister of State for Information Technology, Rajeev Chandrasekhar, told TechCrunch in a recent interview that he would cut out the middlemen and get to the end game.
In August, the Indian government withdrew the previous Personal Data Protection Bill that was unveiled in 2019 after much anticipation and judicial pressure. At the time, India’s Information Technology Minister Ashwini Vaishnaw said the withdrawal was tantamount to “introducing a new bill that fits into the overall legal framework”.
Meta, Google, and Amazon were among the companies that had expressed concerns about some recommendations of the Joint Parliamentary Committee regarding the proposed draft law.
The move to pass a data protection law came after privacy was declared a fundamental right by the Supreme Court of India in 2017. However, the country faced heavy criticism over previous data protection bills due to their intrinsic nature of giving government agencies the power to access citizens’ data.
In one of the sessions during the G20 summit in Bali earlier this week, Prime Minister Narendra Modi talked about the principle of “data for development” and said the country will work with G20 partners to achieve “digital transformation in the life of every human being” during its presidency next year of the intergovernmental forum, which includes 19 countries.